
Fix/xss issues on data attributes #27047

Merged

2 participants
@don-spyker

commented Aug 10, 2018

Fix of XSS issues that have been fixed in v4.x already + fix of two additional XSS issues

Fixes #26625 / CVE-2018-14040
Fixes #26628 / CVE-2018-14042
Fixes #27044 / CVE-2018-20676
Fixes #27045 / CVE-2018-20677

@don-spyker don-spyker closed this Aug 10, 2018

@don-spyker don-spyker reopened this Aug 10, 2018

@don-spyker don-spyker force-pushed the don-spyker:fix/xss-issues-on-data-attributes branch from 5fd1134 to ae29b6a Aug 10, 2018

@don-spyker don-spyker referenced this pull request Aug 10, 2018

Closed

v3.4 release #25679

@@ -16,7 +16,9 @@
var Affix = function (element, options) {
this.options = $.extend({}, Affix.DEFAULTS, options)

this.$target = $(this.options.target)
var target = this.options.target === Affix.DEFAULTS.target ? $(this.options.target) : $(document).find(this.options.target)
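
Review bot: `this.$target` is no longer assigned in the visible lines of this hunk, only a local `target` is; the hunk header (`-16,7 +16,9`) counts added lines that are not rendered here, so confirm that one of them does `this.$target = target`, otherwise any later use of `this.$target` in the plugin breaks. On the security side the replacement is the right shape: `$(document).find(this.options.target)` only queries the DOM, whereas `$(this.options.target)` treats a string beginning with `<` as HTML to parse, which is how a `data-target` value reached markup injection. The ternary keeps the default case on `$(window)` because `window` is not a DOM node and cannot be located with `.find()`; a one-line comment saying so would save the next reader the same question raised in review.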

Johann-S (Member), Aug 10, 2018
There is no need for your ternary here: $(document).find(this.options.target) is enough

don-spyker (Author), Aug 10, 2018
I tried that first, but that broke the functionality as the default is "window" and $(document).find('window') didn't work while $(window) evaluates correctly.

Johann-S (Member), Aug 10, 2018
Ok I understand 👍

Johann-S (Member) left a review comment:

You need unit tests for each plugin you changed

@Johann-S Johann-S added js v3 labels Aug 10, 2018


@Johann-S Johann-S merged commit 2a5ba23 into twbs:v3.4.0-dev Aug 13, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

XhmikosR added a commit that referenced this pull request Sep 19, 2018

Fix/xss issues on data attributes (#27047)
* fix(collapse): xss CVE-2018-14040

Fixes #26625

* fix(tooltip): xss CVE-2018-14042

Fixes #26628

* fix(tooltip): XSS on data-viewport attribute

Fixes #27044

* fix(affix): XSS on target config

Fixes #27045
